practice_terraforming 0.1.3

data/Rakefile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/bin/practice_terraforming

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "practice_terraforming"
+
+PracticeTerraforming::CLI.start(ARGV)

data/lib/practice_terraforming.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require "aws-sdk-iam"
+require "aws-sdk-s3"
+require "multi_json"
+require "thor"
+require "erb"
+
+require "practice_terraforming/util"
+require 'practice_terraforming/version'
+
+require "practice_terraforming/cli"
+require "practice_terraforming/resource/iam_role"
+require "practice_terraforming/resource/iam_role_policy_attachment"
+require "practice_terraforming/resource/iam_policy_attachment"
+require "practice_terraforming/resource/s3"

data/lib/practice_terraforming/cli.rb

@@ -0,0 +1,92 @@
+# frozen_string_literal: true
+
+module PracticeTerraforming
+  class CLI < Thor
+    class_option :merge, type: :string, desc: "tfstate file to merge"
+    class_option :overwrite, type: :boolean, desc: "Overwrite existing tfstate"
+    class_option :tfstate, type: :boolean, desc: "Generate tfstate"
+    class_option :profile, type: :string, desc: "AWS credentials profile"
+    class_option :region, type: :string, desc: "AWS region"
+    class_option :assume, type: :string, desc: "Role ARN to assume"
+    class_option :use_bundled_cert,
+                 type: :boolean,
+                 desc: "Use the bundled CA certificate from AWS SDK"
+
+    # Subcommand name should be acronym.
+    desc "iamr", "Iam Role"
+    def iamr
+      execute(PracticeTerraforming::Resource::IAMRole, options)
+    end
+
+    desc "s3", "S3"
+    def s3
+      execute(PracticeTerraforming::Resource::S3, options)
+    end
+
+    desc "iampa", "Iam Policy Attachment"
+    def iampa
+      execute(PracticeTerraforming::Resource::IamPolicyAttachment, options)
+    end
+
+    desc "iamrpa", "Iam Role Policy Attachment"
+    def iamrpa
+      execute(PracticeTerraforming::Resource::IamRolePolicyAttachment, options)
+    end
+
+    private
+
+    def configure_aws(options)
+      Aws.config[:credentials] = Aws::SharedCredentials.new(profile_name: options[:profile]) if options[:profile]
+      Aws.config[:region] = options[:region] if options[:region]
+
+      if options[:assume]
+        args = { role_arn: options[:assume], role_session_name: "terraforming-session-#{Time.now.to_i}" }
+        args[:client] = Aws::STS::Client.new(profile: options[:profile]) if options[:profile]
+        Aws.config[:credentials] = Aws::AssumeRoleCredentials.new(args)
+      end
+
+      Aws.use_bundled_cert! if options[:use_bundled_cert]
+    end
+
+    def execute(klass, options)
+      configure_aws(options)
+      result = options[:tfstate] ? tfstate(klass, options[:merge]) : tf(klass)
+
+      if options[:tfstate] && options[:merge] && options[:overwrite]
+        open(options[:merge], "w+") do |f|
+          f.write(result)
+          f.flush
+        end
+      else
+        puts result
+      end
+    end
+
+    def tf(klass)
+      klass.tf
+    end
+
+    def tfstate(klass, tfstate_path)
+      tfstate = tfstate_path ? MultiJson.load(open(tfstate_path).read) : tfstate_skeleton
+      tfstate["serial"] = tfstate["serial"] + 1
+      tfstate["modules"][0]["resources"] = tfstate["modules"][0]["resources"].merge(klass.tfstate)
+      MultiJson.encode(tfstate, pretty: true)
+    end
+
+    def tfstate_skeleton
+      {
+        "version" => 1,
+        "serial" => 0,
+        "modules" => [
+          {
+            "path" => [
+              "root"
+            ],
+            "outputs" => {},
+            "resources" => {}
+          }
+        ]
+      }
+    end
+  end
+end

data/lib/practice_terraforming/resource/iam_policy_attachment.rb

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+module PracticeTerraforming
+  module Resource
+    class IamPolicyAttachment
+      include PracticeTerraforming::Util
+
+      def self.tf(client: Aws::IAM::Client.new)
+        self.new(client).tf
+      end
+
+      def self.tfstate(client: Aws::IAM::Client.new)
+        self.new(client).tfstate
+      end
+
+      def initialize(client)
+        @client = client
+      end
+
+      def tf
+        apply_template(@client, "tf/iam_policy_attachment")
+      end
+
+      def tfstate
+        iam_policy_attachments.inject({}) do |resources, policy_attachment|
+          attributes = {
+            "id" => policy_attachment[:name],
+            "name" => policy_attachment[:name],
+            "policy_arn" => policy_attachment[:arn],
+            "groups.#" => policy_attachment[:entities].policy_groups.length.to_s,
+            "users.#" => policy_attachment[:entities].policy_users.length.to_s,
+            "roles.#" => policy_attachment[:entities].policy_roles.length.to_s
+          }
+          resources["aws_iam_policy_attachment.#{module_name_of(policy_attachment)}"] = {
+            "type" => "aws_iam_policy_attachment",
+            "primary" => {
+              "id" => policy_attachment[:name],
+              "attributes" => attributes
+            }
+          }
+
+          resources
+        end
+      end
+
+      private
+
+      def attachment_name_from(policy)
+        "#{policy.policy_name}-policy-attachment"
+      end
+
+      def entities_for_policy(policy)
+        result = Aws::IAM::Types::ListEntitiesForPolicyResponse.new
+        result.policy_groups = []
+        result.policy_users = []
+        result.policy_roles = []
+        @client.list_entities_for_policy(policy_arn: policy.arn).each do |resp|
+          result.policy_groups += resp.policy_groups
+          result.policy_users += resp.policy_users
+          result.policy_roles += resp.policy_roles
+        end
+
+        result
+      end
+
+      def iam_policies
+        @client.list_policies(scope: "All", only_attached: true).map(&:policies).flatten
+      end
+
+      def iam_policy_attachments
+        iam_policies.map do |policy|
+          {
+            arn: policy.arn,
+            entities: entities_for_policy(policy),
+            name: attachment_name_from(policy)
+          }
+        end
+      end
+
+      def module_name_of(policy_attachment)
+        normalize_module_name(policy_attachment[:name])
+      end
+    end
+  end
+end

data/lib/practice_terraforming/resource/iam_role.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+module PracticeTerraforming
+  module Resource
+    class IAMRole
+      include PracticeTerraforming::Util
+
+      def self.tf(client: Aws::IAM::Client.new)
+        self.new(client).tf
+      end
+
+      def self.tfstate(client: Aws::IAM::Client.new)
+        self.new(client).tfstate
+      end
+
+      def initialize(client)
+        @client = client
+      end
+
+      def tf
+        apply_template(@client, "tf/iam_role")
+      end
+
+      def tfstate
+        iam_roles.inject({}) do |resources, role|
+          attributes = {
+            "arn" => role.arn,
+            "assume_role_policy" =>
+              prettify_policy(role.assume_role_policy_document, breakline: true, unescape: true),
+            "id" => role.role_name,
+            "name" => role.role_name,
+            "description" => role.description,
+            "path" => role.path,
+            "unique_id" => role.role_id
+          }
+          resources["aws_iam_role.#{module_name_of(role)}"] = {
+            "type" => "aws_iam_role",
+            "primary" => {
+              "id" => role.role_name,
+              "attributes" => attributes
+            }
+          }
+
+          resources
+        end
+      end
+
+      private
+
+      def iam_roles
+        @client.list_roles.map(&:roles).flatten
+      end
+
+      def module_name_of(role)
+        normalize_module_name(role.role_name)
+      end
+    end
+  end
+end

data/lib/practice_terraforming/resource/iam_role_policy_attachment.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+module PracticeTerraforming
+  module Resource
+    class IamRolePolicyAttachment
+      include PracticeTerraforming::Util
+
+      def self.tf(client: Aws::IAM::Client.new)
+        self.new(client).tf
+      end
+
+      def self.tfstate(client: Aws::IAM::Client.new)
+        self.new(client).tfstate
+      end
+
+      def initialize(client)
+        @client = client
+      end
+
+      def tf
+        apply_template(@client, "tf/iam_role_policy_attachment")
+      end
+
+      def tfstate
+        iam_role_policy_attachments.inject({}) do |resources, role_policy_attachment|
+          attributes = {
+            "id" => role_policy_attachment[:name],
+            "policy_arn" => role_policy_attachment[:policy_arn],
+            "role" => role_policy_attachment[:role]
+          }
+          resources["aws_iam_role_policy_attachment.#{module_name_of(role_policy_attachment)}"] = {
+            "type" => "aws_iam_role_policy_attachment",
+            "primary" => {
+              "id" => role_policy_attachment[:name],
+              "attributes" => attributes
+            }
+          }
+
+          resources
+        end
+      end
+
+      private
+
+      def attachment_name_from(role, policy)
+        "#{role.role_name}-#{policy.policy_name}-attachment"
+      end
+
+      def iam_roles
+        @client.list_roles.map(&:roles).flatten
+      end
+
+      def policies_attached_to(role)
+        @client.list_attached_role_policies(role_name: role.role_name).attached_policies
+      end
+
+      def iam_role_policy_attachments
+        iam_roles.map do |role|
+          policies_attached_to(role).map do |policy|
+            {
+              role: role.role_name,
+              policy_arn: policy.policy_arn,
+              name: attachment_name_from(role, policy)
+            }
+          end
+        end.flatten
+      end
+
+      def module_name_of(role_policy_attachment)
+        normalize_module_name(role_policy_attachment[:name])
+      end
+    end
+  end
+end

data/lib/practice_terraforming/resource/s3.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+module PracticeTerraforming
+  module Resource
+    class S3
+      include PracticeTerraforming::Util
+
+      def self.tf(client: Aws::S3::Client.new)
+        self.new(client).tf
+      end
+
+      def self.tfstate(client: Aws::S3::Client.new)
+        self.new(client).tfstate
+      end
+
+      def initialize(client)
+        @client = client
+      end
+
+      def tf
+        apply_template(@client, "tf/s3")
+      end
+
+      def tfstate
+        buckets.inject({}) do |resources, bucket|
+          bucket_policy = bucket_policy_of(bucket)
+          resources["aws_s3_bucket.#{module_name_of(bucket)}"] = {
+            "type" => "aws_s3_bucket",
+            "primary" => {
+              "id" => bucket.name,
+              "attributes" => {
+                "acl" => "private",
+                "bucket" => bucket.name,
+                "force_destroy" => "false",
+                "id" => bucket.name,
+                "policy" => bucket_policy ? bucket_policy.policy.read : ""
+              }
+            }
+          }
+
+          resources
+        end
+      end
+
+      private
+
+      def bucket_location_of(bucket)
+        @client.get_bucket_location(bucket: bucket.name).location_constraint
+      end
+
+      def bucket_policy_of(bucket)
+        @client.get_bucket_policy(bucket: bucket.name)
+      rescue Aws::S3::Errors::NoSuchBucketPolicy
+        nil
+      end
+
+      def buckets
+        @client.list_buckets.map(&:buckets).flatten.select { |bucket| same_region?(bucket) }
+      end
+
+      def module_name_of(bucket)
+        normalize_module_name(bucket.name)
+      end
+
+      def same_region?(bucket)
+        bucket_location = bucket_location_of(bucket)
+        (bucket_location == @client.config.region) || (bucket_location == "" && @client.config.region == "us-east-1")
+      end
+    end
+  end
+end

data/lib/practice_terraforming/template/tf/iam_policy_attachment.erb

@@ -0,0 +1,10 @@
+<% iam_policy_attachments.each do |policy_attachment| -%>
+resource "aws_iam_policy_attachment" "<%= module_name_of(policy_attachment) %>" {
+    name       = "<%= policy_attachment[:name] %>"
+    policy_arn = "<%= policy_attachment[:arn] %>"
+    groups     = <%= policy_attachment[:entities].policy_groups.map(&:group_name).inspect %>
+    users      = <%= policy_attachment[:entities].policy_users.map(&:user_name).inspect %>
+    roles      = <%= policy_attachment[:entities].policy_roles.map(&:role_name).inspect %>
+}
+
+<% end -%>

data/lib/practice_terraforming/template/tf/iam_role.erb

@@ -0,0 +1,11 @@
+<% iam_roles.each do |role| -%>
+resource "aws_iam_role" "<%= module_name_of(role) %>" {
+    name               = "<%= role.role_name %>"
+    description        = "<%= role.description %>"
+    path               = "<%= role.path %>"
+    assume_role_policy = <<POLICY
+<%= prettify_policy(role.assume_role_policy_document, unescape: true) %>
+POLICY
+}
+
+<% end -%>